# Splunk Cheat Sheet

---

## 1) Basic Commands
| Command    | Description                                      | Example                                |
|------------|--------------------------------------------------|----------------------------------------|
| search     | Initiates a search for events                    | index=web_logs status=200               |
| index      | Specifies the index to search within             | index=web_logs                          |
| sourcetype | Filters events based on sourcetype               | sourcetype=apache_access                |

---

## 2) Filtering and Extraction
| Command | Description                                | Example                                                                 |
|---------|--------------------------------------------|-------------------------------------------------------------------------|
| where   | Filters events based on conditions         | index=logs \| where status="error"                                      |
| eval    | Creates or modifies fields                 | index=logs \| eval latency_ms=response_time/1000 \| table latency_ms    |
| rex     | Regex extraction on fields                 | index=logs \| rex field=message "Error: (?<error_message>.*)"           |
| erex    | Learns a regex from example values and extracts the field | index=logs \| erex error_message fromfield=message examples="connection refused, disk full" |

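Added example (not part of the original cheat sheet): the rows above applied end to end on four constructed log lines built with `makeresults`, so it runs on any Splunk instance without an index. The first `rex` pulls the key=value fields out of `_raw`, the second extracts the text after `Error:` from the `message` field, and `where` keeps only the ERROR events with a 5xx status. Field names (`host`, `level`, `message`, `status`, `error_message`) are chosen for the example.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
      n==1, "2024-05-01T10:00:01Z host=web01 level=ERROR msg=\"Error: connection refused\" status=502",
      n==2, "2024-05-01T10:00:02Z host=web01 level=INFO msg=\"request served\" status=200",
      n==3, "2024-05-01T10:00:03Z host=web02 level=ERROR msg=\"Error: upstream timeout\" status=504",
      n==4, "2024-05-01T10:00:04Z host=web02 level=WARN msg=\"Error: slow backend\" status=200")
| rex field=_raw "host=(?<host>\S+)\s+level=(?<level>\w+)\s+msg=\"(?<message>[^\"]*)\"\s+status=(?<status>\d+)"
| rex field=message "Error: (?<error_message>.*)"
| eval status=tonumber(status)
| where level="ERROR" AND status>=500
| table host level status error_message
```

The fourth event carries an `Error:` prefix but is only a WARN with status 200, so the `where` clause drops it; filtering on the extracted `level` and `status` rather than on the message text is what keeps the search from matching noise.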
---

## 3) Aggregation and Statistics
| Command     | Description                                           | Example                                        |
|-------------|-------------------------------------------------------|------------------------------------------------|
| stats       | Generates statistics/calculations                     | index=sales \| stats sum(price) as total_sales by product |
| timechart   | Creates time-based charts                             | index=web_logs \| timechart count by status     |
| chart       | Generates charts/graphs                               | index=web_logs \| chart avg(response_time) by uri |
| eventstats  | Adds statistics results as new fields                 | index=transactions \| eventstats avg(amount) as avg_amount by user |

---

## 4) Grouping and Transactional Analysis
| Command               | Description                                  | Example |
|------------------------|----------------------------------------------|---------|
| transaction            | Groups related events into transactions      | index=transactions \| transaction user startswith="login" endswith="logout" |
| stats count by         | Counts events per distinct value             | index=web_logs \| stats count by status |
| stats earliest/latest  | Retrieves first and last events              | index=logs \| stats earliest(_time) as first_event latest(_time) as last_event by user |

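Added example (not from the original cheat sheet): a failed-then-successful login pattern detected with the `stats` aggregations listed above, on six constructed authentication events. The `count(eval(...))` form counts failures and successes in one pass, `earliest`/`latest` give the window, and `where` applies the threshold. The field names `user`, `src` and `action` and the threshold of three failures are assumptions for the example.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=1714557600 + n*15,
       user=if(n<=4, "alice", "bob"),
       src=if(n<=4, "203.0.113.10", "198.51.100.7"),
       action=if(n==4, "success", "failure")
| stats count(eval(action=="failure")) AS failures,
        count(eval(action=="success")) AS successes,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen
        BY user, src
| where failures>=3 AND successes>0
| eval window_s=last_seen-first_seen,
       first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table user src failures successes first_seen last_seen window_s
```

Only `alice` from `203.0.113.10` survives the `where` clause (three failures followed by a success); `bob` has two failures and no success. The same grouping can be expressed with `transaction user src startswith="failure" endswith="success" maxspan=5m`, but `stats` is cheaper on large data sets and does not hit the memory limits `transaction` has.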
---

## 5) Field Manipulation
| Command       | Description                                    | Example |
|---------------|------------------------------------------------|---------|
| fields        | Specifies fields to include                    | index=logs \| fields timestamp, source, message |
| rename        | Renames fields                                 | index=logs \| rename old_field as new_field |
| fieldformat   | Formats field values for display (a command, not an eval function) | index=metrics \| fieldformat response_time=tostring(response_time,"duration") |
| addcoltotals  | Adds a row with column totals                  | index=sales \| stats sum(price) AS total_price BY product \| addcoltotals labelfield=product label=Total |

---

## 6) Data Transformation
| Command        | Description                                   | Example |
|----------------|-----------------------------------------------|---------|
| rex mode=sed   | SED-like regex replacements                   | index=logs \| rex mode=sed field=description "s/error/warning/g" |
| spath          | Extracts structured data (JSON/XML)           | index=logs \| spath input=_raw output=uri path=uri |
| spath + fillnull | Extracts structured data and fills a default when the path is missing | index=logs \| spath input=_raw output=page path=uri \| fillnull value="Unknown" page |

---

## 7) Lookup and Enrichment
| Command      | Description                            | Example |
|--------------|----------------------------------------|---------|
| lookup       | Enrich data with lookup tables         | index=logs \| lookup user_info.csv username as user |
| inputlookup  | Loads lookup data                      | \| inputlookup user_info.csv |
| outputlookup | Saves results to a lookup file         | index=logs \| stats count by user \| outputlookup user_counts.csv |

---

## 8) Advanced Analysis
| Command          | Description                               | Example |
|------------------|-------------------------------------------|---------|
| eval case()      | Conditional evaluation                   | index=logs \| eval priority=case(severity=="High","Urgent",severity=="Medium","Normal",true(),"Low") |
| eval coalesce()  | First non-null value                      | index=logs \| eval info=coalesce(critical_message,warning_message,info_message) |
| eval round()     | Round numeric fields                      | index=metrics \| eval rounded=round(value,2) |
| eval mvjoin()    | Join multivalue fields                    | index=events \| eval tags=mvjoin(tags,", ") |
| eval strftime()  | Convert Unix timestamp to readable date   | index=logs \| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") |

---

## 9) Subsearch and Correlation
| Command  | Description                             | Example |
|----------|-----------------------------------------|---------|
| subsearch| Embed a subsearch whose results become search terms | index=access_logs [ search index=error_logs \| stats count BY clientip \| fields clientip ] |
| tstats   | Accelerated statistics query            | \| tstats count where index=web_logs by sourcetype |

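Added example (not from the original cheat sheet): the subsearch pattern above used to correlate two of the page's indexes. The inner search finds client IPs that produced at least 20 errors in the last hour and returns them as `clientip=... OR clientip=...` terms; the outer search then summarises everything those clients did in the access logs. The index names come from the cheat sheet; the `clientip`, `uri` and `status` fields and the threshold of 20 are assumptions.

```spl
index=access_logs earliest=-1h
    [ search index=error_logs earliest=-1h
      | stats count AS errors BY clientip
      | where errors>=20
      | fields clientip ]
| stats count AS requests, dc(uri) AS distinct_uris, values(status) AS statuses BY clientip
| sort - requests
```

Subsearches run first and are capped by default at 10,000 results and 60 seconds, so keep the inner search narrow (time range plus a threshold) and end it with `fields` so only the join key is returned. For counting over long ranges, `| tstats count where index=error_logs by clientip` is much faster than a raw search but only works on indexed fields.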
---

## 10) Visualization and Reporting
| Command    | Description                           | Example |
|------------|---------------------------------------|---------|
| timechart  | Time-based chart with span            | index=web_logs \| timechart span=1h sum(response_time) |
| geostats   | Geospatial statistics                 | index=locations \| geostats count by city |
| chart      | Charts with nulls / overlay / bins (options go before the function) | index=logs \| chart usenull=f count by user |
| rangemap   | Map numeric field values to named ranges (output field is range) | index=sales \| rangemap field=price low=0-50 mid=51-500 default=high |

---

## 11) Alerting and Monitoring
| Command   | Description                      | Example |
|-----------|----------------------------------|---------|
| alert (saved search) | Alerts are saved searches with a trigger condition, not an SPL command | index=errors \| stats count AS error_count \| where error_count>100 |
| collect   | Store events for future analysis | index=access_logs \| collect index=access_history |
| _audit search | Tracks alert activity           | index=_audit action=alert_fired \| stats count BY ss_name |

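Added example (not from the original cheat sheet): the search body of an alert, with the threshold expressed in SPL so that the saved alert only needs the trigger condition "number of results > 0" on a schedule such as every 15 minutes. The matching hosts are also written to a summary index with `collect` so the history survives beyond the raw data's retention. The index names come from the cheat sheet; `host`, `error_code` and the threshold of 100 are assumptions.

```spl
index=errors earliest=-15m latest=now
| stats count AS error_count, values(error_code) AS error_codes BY host
| where error_count>100
| collect index=access_history source="high_error_hosts" marker="alert=high_error_count"
```

After saving it as an alert, `index=_audit action=alert_fired ss_name="<alert name>"` confirms each firing; `marker` tags the collected events so they can be separated from other summary data later.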
---

## 12) Working with Time
| Command       | Description                          | Example |
|---------------|--------------------------------------|---------|
| strptime      | Convert string → timestamp           | index=logs \| eval event_time=strptime(timestamp,"%Y-%m-%d %H:%M:%S") |
| earliest/latest | Define search time range           | index=logs earliest=-7d latest=now |
| bucket        | Group events into time buckets       | index=logs \| bucket span=1h _time |

---

## 13) String Functions
| Command   | Description                              | Example |
|-----------|------------------------------------------|---------|
| substr    | Extract substring                        | index=logs \| eval short_message=substr(message,1,50) |
| len       | Length of string                         | index=logs \| eval msg_len=len(message) |
| toupper   | Convert to uppercase                     | index=logs \| eval up=toupper(message) |
| tolower   | Convert to lowercase                     | index=logs \| eval low=tolower(message) |

---

## 14) Math Functions
| Command | Description                                | Example |
|---------|--------------------------------------------|---------|
| round   | Round number                               | index=metrics \| eval r=round(value) |
| abs     | Absolute value                             | index=metrics \| eval abs_val=abs(change) |
| sqrt    | Square root                                | index=metrics \| eval sq=sqrt(number) |
| pow     | Raise to power                             | index=metrics \| eval squared=pow(value,2) |
| ln / log | Natural log / log to a base (default base 10) | index=metrics \| eval ln=ln(value), log10=log(value,10) |

---

## 15) Conditional Functions
| Command    | Description                        | Example |
|------------|------------------------------------|---------|
| if()       | Returns values based on condition  | index=logs \| eval status_type=if(status>=400,"Error","Success") |
| case()     | Multiple condition evaluation      | index=logs \| eval sev=case(severity=="High",3,severity=="Medium",2,severity=="Low",1) |
| coalesce() | First non-null value               | index=logs \| eval important=coalesce(field1,field2,field3) |

---

## 16) Logical Functions
| Command     | Description                      | Example |
|-------------|----------------------------------|---------|
| AND/OR/NOT  | Logical operators (wrap the test in if() to store a value) | eval is_error=if(severity=="High" OR status>=500,1,0) |
| like        | SQL-style pattern matching (% = any chars, _ = one char) | eval is_error=if(like(message,"%error%"),1,0) |
| mvfilter    | Filter multivalue fields (expression references one field) | eval critical_tags=mvfilter(like(tag,"%critical%")) |

---

## 17) Multivalue Fields
| Command    | Description                           | Example |
|------------|---------------------------------------|---------|
| mvexpand   | Expand multivalue fields              | index=events \| mvexpand tags |
| mvzip      | Zip multiple fields                   | eval combined=mvzip(field1,field2,",") |
| mvcount    | Count values in multivalue field      | eval count=mvcount(tags) |
| mvfind     | Search inside multivalue field        | eval has_error=mvfind(tags,"error") |

---

## 18) IP and Geo Functions
| Command         | Description                        | Example |
|-----------------|------------------------------------|---------|
| iplocation      | Geolocation for IPs                | index=logs \| iplocation clientip |
| cidrmatch       | Match IP against CIDR (CIDR first, then IP; use in where/eval) | index=traffic \| where cidrmatch("192.168.0.0/24", ip) |
| match()         | Check IP type (there is no isipv4() in eval; test with a regex) | eval ipv4=if(match(ip_address,"^\d{1,3}(\.\d{1,3}){3}$"),1,0) |
| dnslookup       | Map IP → hostname via the bundled external lookup | index=logs \| lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS host |

Added example (not from the original cheat sheet): the IP functions above used to separate internal from external source addresses on four constructed addresses. `cidrmatch` against the three RFC 1918 ranges flags private space, a regex via `match` classifies the address family, and `iplocation` enriches whatever is left. The `src_ip` field name is an assumption; the public addresses are documentation ranges, so `iplocation` returns no country for them.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_ip=case(n==1, "10.1.2.3", n==2, "192.168.0.44", n==3, "203.0.113.77", n==4, "2001:db8::1")
| eval is_private=if(cidrmatch("10.0.0.0/8", src_ip)
                     OR cidrmatch("172.16.0.0/12", src_ip)
                     OR cidrmatch("192.168.0.0/16", src_ip), 1, 0),
       ip_version=case(match(src_ip, "^\d{1,3}(\.\d{1,3}){3}$"), "ipv4",
                       match(src_ip, ":"), "ipv6",
                       true(), "unknown")
| where is_private=0
| iplocation src_ip
| table src_ip ip_version is_private Country City
```

Only the two non-private addresses reach `iplocation`; doing the CIDR filter before the lookup keeps the expensive enrichment off the bulk of internal traffic.

---

## 19) Geospatial Functions
| Command       | Description                                     | Example |
|---------------|-------------------------------------------------|---------|
| geostats      | Generates geospatial statistics/visualizations  | index=locations \| geostats count by city |
| eval (haversine) | Distance between coordinates (no built-in function; use the trig functions) | index=locations \| eval dlat=(lat2-lat1)*pi()/180, dlon=(lon2-lon1)*pi()/180, a=pow(sin(dlat/2),2)+cos(lat1*pi()/180)*cos(lat2*pi()/180)*pow(sin(dlon/2),2), distance_km=2*6371*atan2(sqrt(a),sqrt(1-a)) |
| stats min/max | Bounding box of coordinates                     | index=locations \| stats min(latitude) AS south max(latitude) AS north min(longitude) AS west max(longitude) AS east |
| geostats latfield/longfield | Use explicit lat/long fields for geostats | index=locations \| geostats latfield=latitude longfield=longitude count BY city |
| geom          | Attach geographic shapes from a geo lookup (choropleth maps) | index=locations \| stats count BY country \| geom geo_countries featureIdField=country |

---

## 20) Advanced Transformations
| Command              | Description                                         | Example |
|----------------------|-----------------------------------------------------|---------|
| spath                | Extract JSON/XML structured data                    | index=logs \| spath input=_raw output=uri path=uri |
| spath output path    | Extracts specific path as a field                   | index=logs \| spath input=_raw output=page path=uri |
| spath + fillnull     | Extracts with a default value if the path is not found | index=logs \| spath input=_raw output=page path=uri \| fillnull value="Unknown" page |
| spath + coalesce     | Extracts with path + default via eval               | index=logs \| spath input=_raw output=status_code path=code \| eval status_code=coalesce(status_code,"N/A") |

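Added example (not from the original cheat sheet) covering the `spath` rows in sections 6 and 20: two constructed JSON events, one complete and one with a missing nested key and no array, extracted with nested paths and an array path (`tags{}`), then given defaults with `coalesce` and `fillnull`. Field and path names are chosen for the example.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n==1,
      "{\"user\":\"alice\",\"request\":{\"uri\":\"/admin/users\",\"code\":403},\"tags\":[\"auth\",\"denied\"]}",
      "{\"user\":\"bob\",\"request\":{\"uri\":\"/home\"}}")
| spath input=_raw output=user path=user
| spath input=_raw output=uri path=request.uri
| spath input=_raw output=code path=request.code
| spath input=_raw output=tags path=tags{}
| eval code=coalesce(code, "N/A")
| fillnull value="none" tags
| table user uri code tags
```

Both rows come back populated: `bob` gets `code=N/A` and `tags=none` rather than empty cells, which matters when the result feeds a `stats ... BY code` or a lookup that would otherwise silently drop the event.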
---

## 21) Conditional Transformations
| Command      | Description                           | Example |
|--------------|---------------------------------------|---------|
| case()       | Conditional evaluation returning values | index=logs \| eval priority=case(severity=="High","Urgent", severity=="Medium","Normal", true(),"Low") |
| if()         | Returns values based on condition     | index=logs \| eval alert_level=if(severity=="High","Critical","Normal") |
| coalesce()   | Returns first non-null value          | index=logs \| eval important_info=coalesce(critical_message,warning_message,info_message) |

---

## 22) Timechart and Chart Functions
| Command       | Description                                | Example |
|---------------|--------------------------------------------|---------|
| timechart span| Time-based charts with span                | index=web_logs \| timechart span=1h sum(response_time) |
| chart usenull | Include/exclude NULL values in charts      | index=logs \| chart usenull=f count by user |
| chart overlay | Overlay charts based on fields             | index=web_logs \| chart count over status by host |
| chart span    | Charts with span over a time or numeric field | index=events \| chart count over _time span=1d by user |
| chart (stacked) | Stacked charts: chart over one field, split by another; stacking is a visualization setting | index=web_logs \| chart count over host by status |
| chart bins    | Histogram-style charts with bins           | index=metrics \| chart bins=10 count by value |

---

## 23) Advanced Analysis and Correlation
| Command    | Description                                 | Example |
|------------|---------------------------------------------|---------|
| stats first/last | Retrieves first and last field values | index=events \| stats first(_time) as first_event last(_time) as last_event by user |
| eventstats | Performs stats on events and adds fields    | index=transactions \| eventstats avg(amount) as avg_amount by user |
| rare       | Identifies rare values in a field           | index=errors \| rare error_code |
| dedup      | Removes duplicate events by fields          | index=logs \| dedup user, ip_address |
| multikv    | Extracts fields from table-formatted events (header row + data rows) | index=logs \| multikv fields key1 key2 |
